Cisco CCNP Security 300-715 Questions & Answers

• Question 31:

  An engineer is working on a switch and must tag packets with SGT values such that it learns via SXP. Which command must be entered to meet this requirement?

  A. ip source guard

  B. ip dhcp snooping

  C. ip device tracking maximum

  D. ip arp inspection

  Correct Answer: C

  The ip device tracking maximum command is used to configure the maximum number of IP-to-SGT bindings that can be learned via SXP on a switch1. This command also enables the switch to tag packets with SGT values based on the bindings learned from SXP peers. The other commands are not related to SGT tagging or SXP learning.

• Question 32:

  A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:

  An initial MAB request is sent to the Cisco ISE node.

  Cisco ISE responds with a URL redirection authorization profile if the user's MAC address is unknown in the endpoint identity store.

  The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

  Which authentication must the administrator configure on Cisco ISE?

  A. device registration WebAuth

  B. WLC with local WebAuth

  C. wired NAD with local WebAuth

  D. NAD with central WebAuth

  Correct Answer: D

  Central Web Authentication (CWA) is a feature that allows the network access device (NAD) to redirect the web traffic of a guest user to a web portal hosted by Cisco ISE1. The NAD acts as a proxy between the guest user and the ISE node, and performs the authentication and authorization based on the RADIUS attributes returned by ISE1. To configure CWA on ISE, the administrator must create an authorization profile that contains the URL redirection attribute and assign it to the guest user1. The other options are not correct because they do not use CWA. Device registration WebAuth is a feature that allows users to register their devices on ISE before they can access the network2. WLC with local WebAuth is a feature that allows the wireless LAN controller (WLC) to host the web portal and authenticate the guest user locally3. Wired NAD with local WebAuth is a feature that allows the switch to host the web portal and authenticate the guest user locally.

• Question 33:

  An engineer is adding a new network device to be used with 802.1X authentication. After configuring the device, the engineer notices that no endpoints that connect to the switch are able to authenticate. What is the problem?

  A. The command dot1x system-auth-control is not configured on the switch.

  B. The switch's supplicant is unable to establish a connection to Cisco ISE.

  C. The command dot1x critical vlan 40 is not configured on the switch ports.

  D. The endpoint firewalls are blocking the EAPoL traffic.

  Correct Answer: A

• Question 34:

  An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an "EAP-TLS authentication failed" message when moving between remote sites. Which configuration must be applied on Cisco ISE?

  A. Use a third-party certificate on the network device.

  B. Add the device to all PSN nodes in the deployment.

  C. Renew the expired certificate on one of the PSN.

  D. Configure an authorization profile for the end users.

  Correct Answer: B

  When using separate PSNs for different sites, the network device must be added to all PSN nodes in the deployment, so that the device can communicate with the appropriate PSN based on the location of the user1. If the device is not added to all PSN nodes, the user may encounter an EAP-TLS authentication failure when moving between sites, as the device may not be able to reach the PSN that issued the certificate2. The other options are not relevant for this scenario, as they do not address the issue of PSN communication.

• Question 35:

  An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

  A. authentication open

  B. pae dot1x enabled

  C. authentication host-mode multi-auth

  D. monitor-mode enabled

  Correct Answer: D

  In the context of a wired 802.1X deployment with Cisco ISE, the requirement is to log failed authentications while minimizing user impact. Let's analyze each option:

  A. authentication open - This command configures the port to allow network access regardless of the authentication state. It's useful in situations where specific devices can't perform 802.1X authentication but should still be allowed network access. However, it doesn't specifically address the logging of failed authentications.

  B. pae dot1x enabled - PAE (Port Access Entity) refers to the entity on a network device that enforces access control. This command enables 802.1X on the port, which is a prerequisite for implementing 802.1X, but doesn't directly relate to logging failed authentication attempts.

  C. authentication host-mode multi-auth - This command configures the port to allow multiple authenticated sessions. This mode is used when multiple devices are connected to the same port (like in a conference room). While it's relevant for 802.1X environments, it doesn't specifically cater to logging failed authentications or minimizing user impact.

  D. monitor-mode enabled - This command is used in the context of 802.1X to enable Monitor Mode on a port. Monitor Mode allows a port to grant limited network access to endpoints without 802.1X capabilities. It's often used to ease the deployment of 802.1X by monitoring the authentication status without fully enforcing access control, thereby minimizing user impact. It also helps in logging authentication attempts, including failures. Given these options, the most appropriate command for logging failed authentications while having minimal impact on users would be D. monitor-mode enabled. This command ensures that authentication attempts are monitored and logged, including failures, without fully restricting access, thus minimizing the impact on users who might face issues with the authentication process.

• Question 36:

  A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing NMS in the network. Which type of probe must be configured to gather the information?

  A. SNMP

  B. NMAP

  C. NetFlow

  D. RADIUS

  Correct Answer: A

• Question 37:

  An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements:

  1.

  classify endpoints for finance, sales, and marketing departments

  2.

  tag each endpoint as profiled

  Which action organizes the endpoints?

  A. Add a tag for the endpoints of each department and use the identity group filter.

  B. Create an endpoint identity group for each department with the profiled parent group.

  C. Add a tag for the endpoints of each department and add an endpoint to profiled group.

  D. Create an endpoint identity group for each department with the IP phone parent group.

  Correct Answer: B

• Question 38:

  A network engineer must remove a device that has been allowlisted. How should the engineer remove it manually on Cisco ISE?

  A. Administration > Identity Management > Endpoint Identity Groups > Profiled

  B. Administration > Identity Management > Groups > Endpoint Identity Groups

  C. Administration > Identity Management > Groups > Endpoint Identity Groups > Profiled

  D. Administration > Identity Management > Endpoint Identity Groups

  Correct Answer: B

• Question 39:

  Which file setup method is supported by ZTP on physical appliances?

  A. cfg

  B. iso

  C. img

  D. ova

  Correct Answer: C

• Question 40:

  What is configured to enforce the blocklist permissions and deny access to clients in the blocklist to protect against a lost or stolen device obtaining access to the network?

  A. My Devices portal

  B. blocklist portal

  C. Authentication rule

  D. Authorization rule

  Correct Answer: D